The new Common Criteria Scheme, called the European Cybersecurity Certification Scheme (EUCC), is essential for harmonizing high-security cybersecurity certification of ICT products across EU member states. It facilitates mutual recognition of certifications, supports innovation, and ensures compliance with legal requirements. Fully effective from February 2025, the EUCC aims to provide a unified and robust framework for evaluating IT products, boosting consumer trust, and fostering a more secure digital environment.
The EU cybersecurity certification scheme is developed by ENISA within the framework defined in the Cybersecurity Act, taking into account existing national schemes and Common Criteria standards. EUCC, the new cybersecurity scheme, is a voluntary, Common Criteria-based cybersecurity certification initiative. It aims to harmonize the Common Criteria certification process across EU member states, providing a consistent and reliable standard for IT product security.
ICT suppliers looking to prove the security of their products can apply for the EUCC certification. The certification will be managed by EUCC-accredited Certification Bodies (CBs) and Information Technology Security Evaluation Facilities (ITSEFs), collectively known as Conformity Assessment Bodies (CABs). Below, we explore the key benefits of the EUCC scheme.
The EUCC aims to harmonize the approach to cybersecurity certification across EU member states, reducing fragmentation and ensuring a consistent level of security assurance across the region.
This alignment helps create a unified standard that all products can adhere to, simplifying the certification process for developers and raising trust among users and regulators.
With the growing complexity and interconnectedness of IT systems, there is a need for more robust security measures. The EUCC scheme provides a structured framework for evaluating the security properties of IT products, ensuring they meet stringent security requirements.
This is particularly important in the face of evolving cybersecurity threats. The scheme's rigorous assessment ensures that certified products are securely developed to be protected against a wide range of cyber threats, enhancing overall cybersecurity.
By adopting the EUCC, the EU aims to facilitate mutual recognition of certifications across member states, reducing the need for multiple certifications for products sold in different countries.
This mutual recognition is critical for the smooth functioning of the single market, allowing products to be more easily traded across borders. This approach not only simplifies the process for manufacturers but also fosters greater trust and cooperation among EU member states.
The EUCC provides clear guidelines and requirements for cybersecurity, which can help developers and manufacturers integrate security features early in the product development cycle.
This proactive approach supports innovation by making it easier for companies to design and build secure products from the ground up. By incorporating security considerations early in the development process, companies can avoid costly redesigns and ensure their products meet the highest security standards from the outset.
Meeting the EUCC certification requirements demonstrates a product’s adherence to cybersecurity standards, which can be a significant advantage in today's regulatory environment and competitive market.
The EUCC certification increases consumer trust and confidence in the security of IT products. Knowing that a product has been certified under a rigorous, standardized Common Criteria scheme reassures consumers about its security features, enhancing its marketability. Increased consumer trust can lead to higher adoption rates and greater customer loyalty, providing a competitive advantage for certified products.
The EUCC scheme will be fully effective from the end of February 2025. Developers and Sponsors should be aware that the existing Common Criteria (CC) national schemes will accept applications until the end of 2024 or the end of January 2025; however, any ongoing Common Criteria certification projects under the existing national schemes must be finalized by February 2026.
The CC certificates issued during this transition period by the existing national schemes will also remain valid for five years even after the EUCC scheme is in operation from February 27th, 2025. From February 27th, 2025, the current national cybersecurity certification schemes will cease operation.
Although the EUCC transition is very well prepared and the concerned parties are all getting ready for the upcoming new scheme operation, it is still highly recommended to start your new CC certification project with the existing, well-known processes as soon as possible.
The EUCC certification is crucial for ICT products as it provides a recognized mark of assurance that the product meets stringent cybersecurity standards, enhancing its credibility in the market. Moreover, it facilitates the free movement of certified ICT products across EU countries, thereby expanding the potential customer base for the product.
The EUCC scheme is voluntary (just as Common Criteria was under the national scheme structure). ICT suppliers who wish to showcase proof of assurance can apply for certification. EUCC-accredited Certification Bodies (CBs) are replacing the National Certification Bodies (NCBs). CBs and accredited Testing Laboratories, now called Information Technology Security Evaluation Facilities (ITSEFs), together form the Conformity Assessment Bodies (CABs).
To ensure your ICT product meets stringent cybersecurity standards, it is essential to understand the EUCC certification process. The following guide provides a detailed overview of each step, from initial application to final certification.
The first step in the EUCC certification process is applying to a designated certification body accredited under the EUCC scheme. Identifying the appropriate certification body (CB) for your specific product or service is crucial, so it is recommended to choose an experienced CB that you or your chosen ITSEF may already have experience with. The certification body will review your application to ensure it meets the necessary criteria, which includes an initial assessment of your product's suitability for certification and alignment with EUCC standards.
Once your application is submitted, you need to provide comprehensive documentation to the chosen testing laboratory (ITSEF). This includes:
The testing laboratory (ITSEF) will use this documentation to thoroughly understand your product and assess its compliance with Common Criteria requirements based on the chosen assurance level (EAL). The provided Developer documents will serve as the basis of each Common Criteria evaluation class (ASE, ADV, AGD, ALC) and also for further tests during the AVA and ATE classes.
Choose a consulting partner and an accredited ITSEF (Information Technology Security Evaluation Facility) to facilitate the certification process. The selected ITSEF must be accredited for EUCC and prepared to work with the latest Common Criteria evaluation methodology, called CC2022, which replaces the earlier CCv3.1 revision 5. It is worth choosing a testing lab that has several years of experience in Common Criteria and is properly prepared for the EUCC processes. Your consulting partner can guide and support you throughout the certification process, helping you navigate the complexities and meet all requirements.
This phase can take several weeks to months, depending on the complexity of the product (TOE, the Target of Evaluation), the required Evaluation Assurance Level (EAL) and, most importantly, the time and resources the Sponsor/Developer is willing to allocate. You will work closely with your consultant during this time to plan the evaluation process.
Hiring experts in EUCC certifications can streamline the application process and provide valuable guidance that will save time and money for your organization. These professionals can help you understand the requirements, prepare documentation, and address any potential issues that may arise during the evaluation process.
Attend training sessions on Common Criteria certification and EUCC to enhance your understanding of the certification process. Conduct a thorough review of all documentation to ensure it meets the requirements and is free of errors or omissions. This step is critical for avoiding delays and ensuring your application and the provided developer documentation are ready for evaluation.
Perform an internal audit to verify that all necessary information is complete and accurate before submission. This step helps identify and address any potential issues before the ITSEF flags them during the assessment. An internal audit can also help you ensure that your product meets all necessary security requirements and is prepared for the evaluation process.
This phase involves thoroughly examining your product’s security features and compliance with Common Criteria requirements. It includes several critical steps, such as a document evaluation, functional and penetration testing, and potentially a site visit.
The chosen testing laboratory (ITSEF) will review your application and supporting documentation to ensure it meets the Common Criteria requirements of the chosen EAL.
It is important to understand that the submitted technical document – the Security Target – is not reviewed for compliance with CC requirements before submission. Consultation and evaluation are strictly separate processes, even if a consultant is involved. There is no prior review, so any errors made by the consultant will only be discovered during the evaluation phase. At this point, a formal notification will be issued.
During the document evaluation, the ITSEF will assess the provided Developer documents of the following evaluation classes:
The Security Target is the basic document for ASE class evaluation. This comprehensive document serves as a roadmap for the product's security aspects. It outlines the product's intricacies, intended usage, security objectives, and necessary security measures. Crafting a robust Security Target is essential for demonstrating how the product aligns with the relevant Protection Profile and/or the chosen EAL level.
Complementing the Security Target are design documents that offer detailed insights into the product's architecture, design rationale, and security implementation strategies. During ADV class evaluation, these documents give evaluators a deep understanding of the product's inner workings, enabling them to assess its security posture effectively.
User Guides are pivotal in facilitating secure installation, configuration, and product usage. By providing clear and concise instructions, these guides empower end-users to effectively leverage the product's security features. Including comprehensive guidance on security best practices enhances the overall security posture of the product, further supporting its Common Criteria certification process during AGD class evaluation.
Lifecycle documentation refers to a set of documents that are produced during the different phases of a project, product, or service lifecycle. These documents outline the processes, tasks, or events that occur throughout these stages, and generally serve to record, guide, and monitor the progress and quality of the project/product/service. These documents will be evaluated during ALC class evaluation.
The ITSEF will conduct thorough testing of your product’s security features. This phase can last several weeks, depending on the product's complexity and the amount of testing required. The tests will verify whether your product's security features function as described in the documentation and meet Common Criteria requirements. Testing typically includes:
A site visit may be conducted if the EAL level specifies it. During this visit, the ITSEF will inspect your facilities and operations to ensure they meet the chosen requirements. This allows the ITSEF (and the certification body) to verify the information contained in the developer documents and observe your cybersecurity measures in action.
After all the evaluations and tests have been completed and passed, a final evaluation technical report (ETR) is prepared. This report documents the evaluation results and provides a detailed analysis of your product’s compliance with Common Criteria standards. The ETR includes the results of each evaluation class and is submitted to the CB after completion. The evaluation phase and the ITSEF's tasks end here; after this, the certification phase begins.
In the final phase, the CB carries out a comprehensive review of the evaluation results and issues the EUCC certificate if all criteria are met. This phase is crucial as it validates your product's compliance with stringent cybersecurity standards.
The certification body will accept the final ETR, which will be the basis of its decision, together with the evaluation results and other relevant information obtained during the certification process. This phase can take 3-4 months, as all gathered data is thoroughly examined. The decision process includes two major steps.
If all requirements are met, the EUCC certificate will be issued. This certification validates that your product meets Common Criteria requirements and demonstrates its robust cybersecurity measures.
The evaluation process, including all testing laboratory tasks, may take 6-8 months to complete, but in our experience projects usually take 12-13 months on average before the certificate is issued. This timeline can vary depending on the complexity of the product and the thoroughness of the preparation and evaluation processes.
In conclusion, obtaining the EUCC certification is a rigorous but rewarding process that can significantly enhance the credibility and security of your ICT product in the European market. By understanding the requirements, preparing effectively, and navigating the assessment process, you can demonstrate your commitment to cybersecurity and gain a competitive edge in the industry.
CCLab provides assessment and advisory services for companies pursuing Common Criteria evaluation certifications under the existing national schemes and also under the upcoming EUCC scheme. By utilizing agile methodologies during consultation and pre-evaluation, clients can effectively navigate potential obstacles, avoid unexpected costs, and improve the efficiency of the certification process.